CN1973569A - Method for securing an authentication and key agreement protocol - Google Patents


Info

Publication number
CN1973569A
Authority
CN
China
Prior art keywords
token
data
mac
key derivation
individual token
Legal status
Granted
Application number
CNA2005800205142A
Other languages
Chinese (zh)
Other versions
CN1973569B (en)
Inventor
斯特凡尼·萨尔加多
乔治·埃伯兰-斯维拉
Current Assignee
Gemalto Oy
Original Assignee
Axalto SA
Application filed by Axalto SA
Publication of CN1973569A
Application granted
Publication of CN1973569B
Status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention concerns a personal token for a mobile terminal in a communication network that includes an authentication server and a security server producing derived key material on the basis of a random number and a secret key (K), for use in an authentication and key agreement (AKA) procedure in a third-generation mobile system. The personal token includes program instructions for recomputing the derived key material (Ck, Ik) on the basis of the received random number and the secret key (K) as stored in the personal token, and is characterized in that it includes program instructions for using a recomputed part of the derived key material in order to interpret the received additional data. This modification of the standard AKA procedure allows the personal token to keep the key material unavailable to the mobile terminal.

Description

Method for securing an authentication and key agreement protocol
Technical field
The present invention relates to communication networks and, more specifically, to authentication and key agreement protocols in such networks.
Background art
The Authentication and Key Agreement (AKA) protocol is widely used in wired and wireless environments to provide mutual proof of identity and key material between two interconnected entities. A typical example is the authentication of a wireless subscriber by a server in a cellular network.
Different entities or devices take part in the AKA process.
A terminal HT hosting a personal token (for example a mobile phone) communicates with an authentication server (AS). The personal token and a security server store the same secret key K, also called the master key.
In a common AKA protocol (for example one used to implement secure data transmission), both the authentication server and the hosting terminal HT can use keys derived from the master key, namely the integrity key Ik and the ciphering key Ck. These keys Ik and Ck are derived from the master key, which is shared by the security server on one side and by the personal token on the other.
In other cases, i.e. in specific AKA processes, the hosting terminal must be deprived of the use of the integrity key Ik and the ciphering key Ck; that is, these derived keys are regarded as sensitive data which must not be disclosed to the hosting terminal.
The normal AKA process is described below with reference to Fig. 1.
Typically, the security server SS selects a random array RAND. Using RAND together with an algorithm called AKAAlg and the secret key K shared only by the security server SS and the personal token, the security server SS produces an authentication vector (AV).
The authentication vector AV consists at least of the following components: the initial RAND, a result value (RES), some derived key material (DKM) and a message authentication code (MAC); the derived key material is typically the derived keys Ik and Ck. The authentication vector AV is then delivered to the authentication server AS.
The authentication server AS sends the RAND value, the MAC value and possibly other data to the hosting terminal HT, which forwards them to the personal token SE.
The personal token SE runs the AKAAlg algorithm using the stored secret key K and the received parameters (at least RAND and MAC).
The personal token SE recomputes MACT on the basis of the shared secret key K and the received RAND.
The personal token SE then compares the recomputed MACT value with the received MAC value (MAC = MACT?), which performs an integrity check and possibly authenticates the authentication server.
The personal token SE then computes RES.
The hosting terminal sends RES to the authentication server so that the personal token can be authenticated by the server. Finally, the authentication server AS authenticates the personal token by comparing the RES received from the hosting terminal with the XRES value received from the security server SS.
The personal token SE also computes the derived keys Ik and Ck and sends them to the hosting terminal together with RES. The hosting terminal uses the derived keys to perform further security operations with the AS.
An example of such a basic AKA authentication process is UMTS AKA as defined in 3GPP TS 33.102.
The normal AKA process just described is well suited to providing secure authentication and the sharing of key material between the hosting terminal HT and the authentication server AS. However, in some particular circumstances the AKAAlg algorithm needs to be handled differently in the personal token. For example, in some circumstances the derived keys Ik and Ck, or part of them, must be treated as sensitive data and prevented from leaking to the hosting terminal; that is, the derived keys Ik and Ck are kept inside the personal token and are not passed to the hosting terminal.
In these specific situations, a basic requirement common to many of them is that the hosting terminal must not be able to obtain the derived keys by means of standard AKA or any other process.
An object of the present invention is to provide a scheme for preventing the derived keys from leaking to the hosting terminal.
More generally, there are specific authentication processes that are all based on the normal AKA process but differ from it in some respects, which may be of any kind. The same personal token may have to react differently according to which AKA process it encounters during its lifetime.
A second object of the present invention is to propose a way of signalling effectively to the personal token that a particular authentication process is required.
Brief description of the drawings
Other objects, features and advantages of the present invention will become apparent on reading the following description of a preferred embodiment of the invention, given as a non-limiting example, and of a system designed for this embodiment, with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the different steps of the known AKA process;
Fig. 2 is a schematic diagram of the different steps of the AKA-based process according to the invention.
Detailed description
The system according to the invention shown in Fig. 2 comprises different entities or devices, which are the same as those involved in the AKA process.
The system comprises a terminal HT hosting a personal token SE. In a specific embodiment, the hosting terminal HT may be a mobile phone or, more generally, a device accommodating a personal token. The device accommodating the personal token may take the form of a housing provided with a cavity or slot for receiving the personal token, but it may also take other forms, as long as the personal token can communicate with the accommodating device.
The system comprises an authentication server AS and a security server SS communicating with the authentication server; the security server holds the secret key or master key K.
The personal token or secure element SE is hosted in the terminal HT. The hosting terminal HT communicates with the token.
The secret key K is also held in the token but is not disclosed to the hosting terminal HT. As is well known, the secret key K is a shared secret between the personal token and the security server.
In a specific embodiment the personal token (SE) is a card with an integrated circuit, also called a smart card.
The present invention relates to securing an Authentication and Key Agreement (AKA) process, i.e. a process that allows key material to be established and mutual proof of identity to be provided between two interconnected entities.
The present embodiment makes it possible to avoid leaking derived keys, for example the integrity key Ik or the ciphering key Ck, to the hosting terminal HT, i.e. to avoid leaking the derived key material or part of it to the hosting terminal HT.
The process according to the present embodiment comprises the following steps:
The hosting terminal HT sends an HTTP request to the authentication server requesting an AKA process. The AKA process may also be requested by the authentication server.
The AS obtains a standard authentication vector (AV) from the security server (SS) (step 1 in Fig. 2).
The authentication vector (AV) consists at least of the following components: the initial RAND, the result value RES, derived key material (referred to below as DKM), namely the derived keys Ik and Ck, and a message authentication code (MAC).
In an advantageous embodiment, the authentication server AS determines whether a modification of the MAC is necessary according to attributes of the personal token (also called the authentication token) it is dealing with, specifically on the basis of a user security setting (USS) associated with that personal token. Such a setting may be stored in advance on the authentication server side, or may be received from the personal token through the terminal HT.
For some types of personal token, Ik and Ck are not regarded as sensitive data; in that case the normal AKA process can be used, i.e. the unmodified MAC is sent to the token together with the RAND value, and the derived keys are then sent by the personal token to the hosting terminal HT.
Assume instead that, according to the user security setting, the derived keys are to be hidden. The authentication server AS then takes the MAC value out of the authentication vector AV and uses one of the derived keys to compute a modification of that MAC. In this way the MAC is modified using at least a part of the derived key material DKM.
As an example of modifying the MAC with derived key material, the modification may be MAC* = M(MAC, DKM*), where DKM* is a modified part of the derived key material DKM, for example a modified value Ik* based on the value of the integrity key Ik.
The integrity key Ik and the ciphering key Ck are derived from the master key K by a computation performed by the security server.
As will be explained below, the secret master key K is also stored in the personal token SE, so the same derivation can be performed in the personal token once the token has received RAND. The master key K thus constitutes a shared secret between the personal token and the security server.
On the basis of one of the derived keys Ik and Ck received from the security server SS, the authentication server AS computes a modification of at least a part of the derived key material, i.e. it computes the parameter DKM* introduced above. For example, the authentication server AS takes the first 64 bits of a known function (SHA-1) applied to the integrity key Ik:
Ik* = Trunc(SHA-1(Ik))
where Trunc denotes truncation of the output bits of SHA-1, and SHA-1 is the known hash function, applied here to the integrity key Ik.
MAC* can then be computed as follows (step 3 in Fig. 2):
MAC* = MAC XOR Trunc(SHA-1(Ik))
In the formula MAC* = MAC XOR DKM*, the modification of the MAC is preferably reversible given knowledge of the modified part DKM* of the derived key material.
Once the authentication server AS has computed the modified value MAC*, it sends RAND together with MAC* and values such as SQN, AK and AMF to the hosting terminal HT (step 4 in Fig. 2). The same message is used, for example, to send these different data.
The RES value remains stored in the authentication server.
The hosting terminal HT then sends RAND, MAC*, SQN, AK, AMF (and possibly other values) to the personal token SE (step 5 in Fig. 2).
In the personal token SE, the additional algorithm AKAAlg is executed as follows:
The personal token SE computes the derived keys Ck and Ik and the RES value. These computations can be completed in the personal token because it stores the master key K and has just received RAND, both of which are needed to compute Ck and Ik and to compute RES.
At this point Ck and Ik exist in the authentication server AS and in the personal token SE, but not in the hosting terminal HT. So far, therefore, the keys Ck and Ik can be regarded as sensitive data, since they have not leaked to the hosting terminal HT.
In this example the personal token then computes the unmodified MAC on the basis of the received MAC* and of the recomputed Ik.
To do so, the personal token SE first computes the modified integrity key Ik*, i.e. the modified part DKM* of the derived key material DKM:
Ik* = Trunc(SHA-1(Ik))
Then the personal token computes the MAC value corresponding to the received modified value MAC*:
MACC = M'(MAC*, Ik*), i.e. MACC = M'(MAC*, DKM*), where M' is the inverse of the function M used by the AS; in the present case MACC = MAC* XOR Ik* (step 6 in Fig. 2). The invertible function M' is known in advance to both the personal token SE and the authentication server AS.
In the specific example given above, M' is computed as MACC = MAC* XOR Trunc(SHA-1(Ik)).
The token also computes MACT, i.e. the MAC value computed from RAND and the master key K. In general, the MAC also depends on the transmitted parameters SQN and AMF.
MACT and MACC are then compared (step 7 in Fig. 2).
As mentioned above, M is preferably an invertible function, and the derived key used to compute the modified MAC is known on both sides.
In another embodiment of the invention, M need not be invertible. In that case the personal token recomputes the MAC value, then recomputes the modification of the MAC value, and then compares the received modified MAC value with the recomputed and re-modified MAC value.
One way of comparing MACC and MACT is to compare the concatenation of MACT with other values against the concatenation of MACC with the same other values, for example comparing (SQN xor AK ‖ AMF ‖ MACT) with (SQN xor AK ‖ AMF ‖ MACC), where ‖ is the concatenation symbol.
If the MAC comparison fails, i.e. MACT differs from MACC, the personal token notifies the hosting terminal HT that the MAC comparison has failed.
If the MAC comparison succeeds, the personal token SE computes RES and sends it to the hosting terminal (step 8 in Fig. 2), while the other data (DKM, i.e. Ik and Ck in this example) or part of it is kept hidden in the token. The hosting terminal then sends RES to the authentication server AS (step 9 in Fig. 2), which authenticates the personal token SE.
In this example, the personal token SE and the authentication server AS will use the concatenation of Ik and Ck (called Ks) to derive the internal and external NAF-specific keys Ks_int_NAF and Ks_ext_NAF.
The internal NAF key Ks_int_NAF is used to establish a secure channel between the personal token and a remote server; this channel passes through the terminal HT but is hidden from it.
The external NAF key Ks_ext_NAF is used to establish a secure channel between the hosting terminal HT and the remote server.
If the MAC has not been modified by the authentication server AS before passing through the terminal and reaching the personal token SE, the personal token SE proceeds according to the normal process, i.e. it recomputes and checks the MAC value and, after authentication, provides the derived keys Ik and Ck to the terminal.
Modifying the MAC, or any other data associated with RAND, with derived key material or part of it during the authentication process provides many advantages in itself, regardless of whether a choice between the two processes described is possible.
This is why the MAC may be modified systematically, without different processes being followed according to whether the MAC has been modified or not.
Modifying the MAC has the advantage of hiding the actual MAC value, thus preventing a fraudulent entity from using the associated RAND to interpret the MAC and thereby derive some value that could lead to sensitive data.
Although hidden by such a modification, the MAC can still be interpreted by the personal token, i.e. the token can still check the validity of the MAC, because the personal token embeds the derived key material needed to check that validity.
Modifying the MAC also has the advantage of preventing a fraudulent entity from picking up a transmitted (RAND, MAC) pair and replaying it to the token in order to obtain the Ck and Ik values in return.
All these advantages also hold for the other data sent together with RAND.
Independently of the hiding aspect described above, the possibility of choosing whether or not to modify the MAC, or another datum transmitted together with RAND, has the following advantage: it effectively signals that a particular process is to be executed by the card in response to the modification.
In this situation, the modification of the MAC signals the need to keep the sensitive data Ik and Ck inside the card. The same signal can be used to indicate that a particular process is to be executed in the token, however that process may differ from hiding the derived key material. The modified MAC can be interpreted by the token as triggering a specific behaviour to be executed by the token in response to that signal.
Besides hiding the derived key material, the signal given by the modification may cause the token to consult a certain flag, for example the AMF parameter sent to the token together with RAND. A particular value of AMF may then be interpreted by the token as having a particular meaning, for example as instructing the token to hide Ik and Ck, or as some other process. In the absence of such a modified MAC, and hence without being directed to the AMF flag, the same card would be allowed to disclose the Ck and Ik values.
In such an example, there are multiple combinations between the meaning of whether the MAC is modified and the particular value of the AMF flag to which the token is directed by the modified MAC.
The same process as described above can be used by modifying any value transmitted together with RAND. Another such value may be a value used in the computation of the MAC. However, such a value is preferably not used to compute any derived key material.
Other data modified in this way may for example be SQN. SQN may be modified as follows:
The authentication server modifies SQN, for example as SQN* = SQN XOR DKM*, and then sends RAND, SQN* and the unmodified MAC (computed by the SS from the unmodified SQN value and RAND). The token then performs the following operations.
First, the token checks according to the SQN rules whether the received SQN (unmodified SQN or modified SQN*) lies within the correct range.
Second, the token handles two possible cases. In the first case, the token assumes that SQN has not been modified.
The token then checks whether SQN lies within the correct range. If it does, the token computes MACT as a function of RAND, the master key and, typically, SQN and AMF, and compares MACT with the received MAC. The MAC value is preferably computed with the unmodified data, i.e. the unmodified RAND, SQN and AMF.
If MAC = MACT, the token concludes that a normal AKA is taking place and therefore discloses CK and IK.
Otherwise, the token handles the second case.
The token assumes that SQN has been modified, so that the received value is SQN*.
The token then computes DKM and DKM*, computes SQN = SQN* XOR DKM*, computes MACT as a function of the master key, RAND and, typically, SQN and the AMF flag, and then compares MACT with the received MAC.
If MACT differs from MAC, authentication is refused.
Otherwise, the token verifies that SQN lies within the correct range and therefore does not disclose CK and IK.
SQN or SQN* may be sent concealed by AK (so that SQN xor AK or SQN xor DKM* xor AK is sent).
AMF may be modified at the same time as SQN, for example by performing SQN_AMF* = (SQN ‖ AMF) xor DKM*.
SQN, AMF and MAC may also be modified at the same time: AUTH* = (SQN ‖ AMF ‖ MAC) xor DKM*.
However, RAND should not be modified when it is used to compute DKM.
The same signal can also be used by the card to indicate to the hosting terminal a requirement concerning certain sensitive data, typically a specific usage requirement for the derived key material. In that case, even though the derived key material is present in the SE, the hosting terminal may itself perform the described MAC process after AKAAlg has been executed in the personal token.
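The following is an added example, not code from the patent or its assignee, that simulates both variants described above: the MAC* = MAC XOR Trunc(SHA-1(Ik)) exchange (steps 3 to 7 in Fig. 2) and the SQN* = SQN XOR DKM* variant with the token's two-case handling. AKAAlg is replaced by an HMAC-SHA256 stand-in, the SQN range rule is a constructed window, and the user security setting is a simple string; all of these are assumptions. The token releases Ck and Ik to the terminal only when neither value was masked, keeps them when a mask is recognised, and rejects anything else.

```python
import hashlib
import hmac
import os

# Acceptance window for the toy SQN range check (constructed assumption).
SQN_WINDOW = 32


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def aka_alg(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> dict:
    """Toy stand-in for AKAAlg (HMAC-SHA256 replaces the real functions; an
    assumption). As the description states, MAC depends on K, RAND, SQN and
    AMF, while RES, Ck and Ik depend only on K and RAND."""
    def f(label: bytes, *parts: bytes) -> bytes:
        return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()
    return {
        "mac": f(b"f1", rand, sqn, amf)[:8],
        "res": f(b"f2", rand)[:8],
        "ck": f(b"f3", rand)[:16],
        "ik": f(b"f4", rand)[:16],
    }


def dkm_star(ik: bytes) -> bytes:
    """DKM* = Ik* = Trunc(SHA-1(Ik)): the first 64 bits, as on the page."""
    return hashlib.sha1(ik).digest()[:8]


def security_server(k: bytes, sqn: int, rand: bytes = None) -> dict:
    """SS (step 1): choose RAND and build the authentication vector AV."""
    rand = rand if rand is not None else os.urandom(16)
    sqn_b, amf = sqn.to_bytes(8, "big"), b"\x00\x00"
    out = aka_alg(k, rand, sqn_b, amf)
    return {"rand": rand, "sqn": sqn_b, "amf": amf, "xres": out["res"],
            "ck": out["ck"], "ik": out["ik"], "mac": out["mac"]}


def auth_server(av: dict, uss: str) -> dict:
    """AS (steps 3-4): depending on the user security setting `uss`
    ('open', 'hide_mac' or 'hide_sqn'), mask MAC or SQN with DKM*."""
    star = dkm_star(av["ik"])
    msg = {"rand": av["rand"], "sqn": av["sqn"], "amf": av["amf"],
           "mac": av["mac"]}
    if uss == "hide_mac":      # MAC* = MAC XOR Trunc(SHA-1(Ik))
        msg["mac"] = xor(av["mac"], star)
    elif uss == "hide_sqn":    # SQN* = SQN XOR DKM*, MAC left unmodified
        msg["sqn"] = xor(av["sqn"], star)
    return msg                 # XRES stays on the AS side


def sqn_in_range(sqn: bytes, last_sqn: int) -> bool:
    """Toy SQN rule: strictly increasing, within SQN_WINDOW of the last one."""
    value = int.from_bytes(sqn, "big")
    return last_sqn < value <= last_sqn + SQN_WINDOW


def token(k: bytes, last_sqn: int, msg: dict) -> dict:
    """SE (steps 5-8): recompute DKM from K and RAND, interpret the received
    data, and hand Ck/Ik to the host terminal only in the normal AKA case."""
    rand, amf = msg["rand"], msg["amf"]
    keys = aka_alg(k, rand, msg["sqn"], amf)   # ck, ik, res independent of SQN
    star = dkm_star(keys["ik"])
    hidden = {"status": "hidden", "res": keys["res"], "ck": None, "ik": None}

    def mact(sqn: bytes) -> bytes:
        return aka_alg(k, rand, sqn, amf)["mac"]

    # Case 1: nothing modified -> normal AKA, derived keys go to the terminal.
    if sqn_in_range(msg["sqn"], last_sqn) and msg["mac"] == mact(msg["sqn"]):
        return {"status": "normal", "res": keys["res"],
                "ck": keys["ck"], "ik": keys["ik"]}
    # Case 2: MAC* received -> MACC = MAC* XOR Ik*, compare with MACT (steps 6-7).
    if sqn_in_range(msg["sqn"], last_sqn) and xor(msg["mac"], star) == mact(msg["sqn"]):
        return hidden
    # Case 3: SQN* received -> SQN = SQN* XOR DKM*, then check MAC and range.
    sqn = xor(msg["sqn"], star)
    if msg["mac"] == mact(sqn) and sqn_in_range(sqn, last_sqn):
        return hidden
    return {"status": "reject", "res": None, "ck": None, "ik": None}


def run(uss: str, tamper: bool = False) -> tuple:
    """One full exchange with constructed K and RAND; returns
    (token result, XRES held by the AS)."""
    k = hashlib.sha256(b"constructed master key K").digest()[:16]
    av = security_server(k, sqn=101, rand=bytes(range(16)))
    msg = auth_server(av, uss)
    if tamper:                 # a single flipped MAC bit must be rejected
        msg["mac"] = xor(msg["mac"], b"\x01" + b"\x00" * 7)
    return token(k, last_sqn=100, msg=msg), av["xres"]
```

Running `run("open")`, `run("hide_mac")` and `run("hide_sqn")` shows the same RES reaching the AS in all three cases while Ck and Ik leave the token only in the first.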

Claims (31)

1. An authentication method in a network comprising a security server, an authentication server and at least one terminal (HT) hosting a personal token (SE), the authentication method comprising the following steps:
a. in the security server, performing a computation on the basis of a random number (RAND) and a secret key, thereby generating derived key material (Ck, Ik);
b. sending the derived key material (Ck, Ik) from the security server (SS) to the authentication server (AS) together with the random number and with other data (AUTN, XRES, MAC, SQN, Ak, AMF);
c. in the authentication server, modifying at least a part (MAC*, SQN*) of the other data by means of at least a part of the derived key material (Ck, Ik);
d. sending the other data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, MAC*, SQN*) and the random number (RAND) to the personal token through the hosting terminal;
e. in the personal token, performing a computation on the basis of the received random number (RAND) so as to recompute the at least part of the derived key material (Ck, Ik) that was used in the authentication server to modify the part of the other data;
f. in the token, using at least a part of the recomputed derived key material to interpret the received modified part of the other data.
2. Method according to claim 1, characterized in that the step of interpreting the received modified part of the other data comprises determining whether that part of the other data was modified before the received other data were sent to the personal token.
3. Method according to claim 1, characterized in that the step of interpreting the modified part of the received other data comprises checking the validity of an expected value of the received other data.
4. Method according to claim 1, characterized in that the recomputed part of the derived key material is kept inside the personal token.
5. Method according to claim 1, characterized in that the method comprises: the token recomputing the part of the other data on the basis of the received random number, re-modifying the part of the other data on the basis of the derived key material, and comparing the recomputed and re-modified part of the other data with the modified part of the received other data.
6. Method according to claim 1, characterized in that it comprises: the token inversely modifying the received modified part of the other data so as to retrieve the unmodified part of the other data originally produced by the security server, recomputing the part of the other data in the token on the basis of the received random number and of the secret key, and comparing the unmodified part of the other data originally produced by the security server with the recomputed part of the other data.
7. Method according to any one of the preceding claims, characterized in that the modified part of the other data is the MAC (message authentication code) generally used to authenticate the authentication server to the token.
8. Method according to the preceding claim, characterized in that the token recomputes the MAC.
9. Method according to the preceding claim, characterized in that the personal token modifies the recomputed MAC on the basis of the derived key material and compares the modified recomputed MAC with the modified MAC received from the authentication server through the hosting terminal.
10. Method according to one of claims 7 to 9, characterized in that the token inversely modifies the received modified MAC using the derived key material and compares the recomputed MAC with the inversely modified received MAC.
11. Method according to any one of the preceding claims, characterized in that the derived key material comprises at least a part of a ciphering key (Ck).
12. Method according to any one of the preceding claims, characterized in that the at least part of the derived key material comprises an integrity key (Ik).
13. Method according to any one of the preceding claims, characterized in that it comprises the following alternative steps:
g1) if the part of the other data was modified using the at least part of the derived key material, keeping at least a part of the derived key material in the token;
g2) if the part of the other data was not modified, sending the part of the derived key material from the token to the terminal.
14. Method according to claim 13, characterized in that the method comprises: the personal token recomputing the part of the other data on the basis of the received random number, and, when the received part of the other data corresponds neither to the recomputed part of the other data nor to the recomputed part of the other data re-modified using the derived key material, the personal token keeping the part of the derived key material inside the token.
15. Method according to any one of the preceding claims, characterized in that the personal token sends a response (RES) to the authentication server through the terminal and the authentication server uses the response to authenticate the personal token, and characterized in that, once the authentication server and the personal token have authenticated each other, the personal token derives from the derived key material (Ck, Ik) an internal key (KsNAFint) and an external key (KsNAFext), the internal key (KsNAFint) being used to establish a secure channel between the personal token and a remote server, which channel passes through the terminal but is hidden from it, and the external key (KsNAFext) being used to establish a secure channel between the terminal and the remote server.
16. An authentication method in a network comprising a security server, an authentication server and at least one terminal hosting an individual token, the authentication method comprising the following steps:
A. in the security server, performing a computation on the basis of a random number (RAND) and a secret key, so as to produce key derivation material (Ck, Ik);
B. sending said key derivation material (Ck, Ik) from the security server (SS) to the authentication server (AS), together with said random number and together with other data (AUTN, XRES, MAC, SQN, Ak, AMF);
B'. in said authentication server, using a database of the individual tokens in the network to determine whether the token to be authenticated is an individual token of a first type or an individual token of a second type;
if the token is an individual token of the first type:
C1. modifying at least a portion (MAC*, SQN*) of said other data by means of at least a portion of said key derivation material (Ck, Ik);
D1. sending said other data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, MAC*, SQN*) and said random number (RAND) to said individual token via the hosting terminal;
E1. in the individual token, recomputing said at least a portion of the key derivation material (Ck, Ik) on the basis of the received RAND and of the secret key K;
F1. in the token, using said recomputed at least a portion of the key derivation material to interpret the received modified part of the other data;
G1. retaining said recomputed part of the key derivation material in the token;
if the token is an individual token of the second type:
C2. sending said other data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, MAC*, SQN*) and said random number (RAND) to said individual token via the hosting terminal, without performing said modification on the basis of said part of the key derivation material;
D2. in the individual token, recomputing said at least a portion of the key derivation material (Ck, Ik) on the basis of the received RAND and of the secret key K, and sending said at least a portion of the key derivation material from the individual token to the terminal.
17. A token for a terminal of a communication network, the communication network comprising an authentication server and a security server which produces key derivation material on the basis of a random number and a secret key (K), the individual token comprising program instructions for recomputing the key derivation material (Ck, Ik) on the basis of a received random number and of the secret key (K) stored in the individual token, characterized in that the individual token comprises program instructions for using the recomputed part of the key derivation material to interpret received other data.
18. The individual token according to claim 17, characterized in that it comprises program instructions for retaining the recomputed key derivation material in the individual token.
19. The individual token according to claim 17, characterized in that the token comprises program instructions for recomputing said part of the other data on the basis of said received random number, re-modifying said part on the basis of said part of the key derivation material, and comparing the recomputed and re-modified part of the other data with the received modified part of the other data.
20. The individual token according to claim 17, characterized in that the token comprises program instructions for applying an inverse modification to the received modified part of the other data so as to retrieve the unmodified part of the other data as originally produced by the security server, recomputing said part of the other data on the basis of said received random number and of the secret key (K), and comparing the unmodified part of the other data as originally produced by the security server with the recomputed part of the other data.
21. The individual token according to claim 17, characterized in that said modified part of the other data is a MAC (message authentication code) normally used to authenticate the authentication server to the token.
22. The individual token according to the preceding claim, characterized in that the token performs a recomputation of the MAC.
23. The individual token according to claim 21, characterized in that the individual token modifies the recomputed MAC on the basis of said part of the key derivation material, and compares said recomputed and re-modified MAC with the modified MAC received from the authentication server via the hosting terminal.
24. The individual token according to claim 21, characterized in that the token applies an inverse modification to the received modified MAC using said part of the key derivation material, and compares the recomputed MAC with the inversely modified received MAC.
25. The individual token according to one of claims 17 to 24, characterized in that the key derivation material comprises at least a portion of a ciphering key (Ck).
26. The individual token according to any preceding claim, characterized in that the key derivation material comprises at least a portion of an integrity key (Ik).
27. The individual token according to claim 17, characterized in that said interpretation of the received other data comprises identifying whether said part of the received other data has been modified using said key derivation material, and in that the individual token performs the following alternative steps:
G1) if said part of the other data has been modified using said at least a portion of the key derivation material, the token retains at least a given portion of the key derivation material;
G2) if said part of the other data has not been modified, the token sends said given portion of the key derivation material to the terminal.
28. The individual token according to claim 27, characterized in that the individual token recomputes said part of the other data on the basis of said received random number and of the secret key (K), and, where the received part of the other data corresponds neither to the recomputed part of the other data nor to the recomputed part modified using the key derivation material, retains the given portion of the key derivation material inside the token.
29. The individual token according to one of claims 17 to 28, characterized in that the individual token sends a response (RES) to the authentication server via the terminal, the authentication server using said response to authenticate the token, and characterized in that, once the authentication server and the individual token have authenticated each other, the individual token derives from said part of the key derivation material (Ck, Ik) an internal key (KsNAFint) and an external key (KsNAFext), said internal key (KsNAFint) being used to establish a secure channel between the individual token and a remote server, which channel passes through the terminal but is hidden from it, and said external key (KsNAFext) being used to establish a secure channel between the terminal and the remote server.
30. An authentication server in a communication network, which authenticates a plurality of terminals, each terminal hosting an individual token, the authentication server performing the following steps:
A. receiving from a security server a random number, key derivation material (Ck, Ik) produced on the basis of said random number, and other data (AUTN, XRES, MAC, SQN, Ak, AMF);
B. modifying at least a portion (MAC*, SQN*) of said other data by means of at least a portion of said key derivation material (Ck, Ik);
C. sending said other data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, MAC*, SQN*) and said random number (RAND) via the terminal to the individual token hosted in that terminal.
31. A computer program for an authentication server of a communication network, the authentication server authenticating a plurality of terminals in the network, each terminal hosting an individual token, the computer program comprising program instructions for performing the following steps:
A. receiving from a security server a random number, key derivation material (Ck, Ik) produced on the basis of said random number, and other data (AUTN, XRES, MAC, SQN, Ak, AMF);
B. modifying at least a portion (MAC*, SQN*) of said other data by means of at least a portion of said key derivation material (Ck, Ik);
C. sending said other data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, MAC*, SQN*) and said random number (RAND) via the terminal to the individual token hosted in that terminal.
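The exchange of claims 13 to 31 (security server producing the authentication vector, authentication server masking the MAC with the key derivation material for a first-type token, token recomputing Ck/Ik and deciding whether they stay inside or go to the terminal) as a worked example. This is added illustration code, not code from the patent or from Axalto/Gemalto. It assumes that HMAC-SHA256 stands in for the operator-specific AKA functions f1 to f5, that the modification of the MAC is an XOR with a mask derived from Ck||Ik (the claims only require that the modification use the key derivation material and that the token can re-apply or invert it; the function itself is not fixed by the patent), that KsNAFint and KsNAFext are labelled HMACs over Ck||Ik and a hypothetical NAF identifier, and that the field lengths are illustrative. The sample key, SQN and AMF are constructed.

```python
# Added illustration of CN1973569A claims 13-31; not the patent's own code.
# ASSUMPTIONS (not from the patent): HMAC-SHA256 stands in for AKA f1..f5;
# the MAC modification is an XOR with a mask derived from Ck||Ik;
# KsNAFint/KsNAFext are labelled HMACs over Ck||Ik and a NAF identifier.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

MAC_LEN, RES_LEN, KEY_LEN, SQN_LEN, AMF_LEN = 8, 8, 16, 6, 2


def _prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for the AKA functions (assumption: truncated HMAC-SHA256)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes  # (SQN xor AK) || AMF || MAC


def security_server_vector(k: bytes, sqn: bytes, amf: bytes,
                           rand: Optional[bytes] = None) -> AuthVector:
    """Claim 16 step A: key derivation material and other data from RAND and K."""
    rand = rand if rand is not None else os.urandom(16)
    mac = _prf(k, b"f1", sqn + rand + amf, MAC_LEN)
    xres = _prf(k, b"f2", rand, RES_LEN)
    ck = _prf(k, b"f3", rand, KEY_LEN)
    ik = _prf(k, b"f4", rand, KEY_LEN)
    ak = _prf(k, b"f5", rand, SQN_LEN)
    return AuthVector(rand, xres, ck, ik, _xor(sqn, ak) + amf + mac)


def mac_mask(ck: bytes, ik: bytes) -> bytes:
    """Mask derived from the key derivation material (assumed construction)."""
    return _prf(ck + ik, b"mac-mod", b"", MAC_LEN)


def modify_mac(autn: bytes, ck: bytes, ik: bytes) -> bytes:
    """Claim 30 step B: MAC -> MAC*. Being an XOR, the same call is also the
    inverse modification of claims 20 and 24."""
    head, mac = autn[:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]
    return head + _xor(mac, mac_mask(ck, ik))


def authentication_server_challenge(av: AuthVector, token_type: int) -> Tuple[bytes, bytes]:
    """Claim 16 steps B'/C1/C2: first-type tokens get AUTN*, second-type get AUTN."""
    if token_type == 1:
        return av.rand, modify_mac(av.autn, av.ck, av.ik)
    return av.rand, av.autn


@dataclass
class TokenResult:
    res: Optional[bytes]                     # RES for the server, None if rejected
    released: Optional[Tuple[bytes, bytes]]  # (Ck, Ik) handed to the terminal
    ks_naf_int: Optional[bytes]              # never leaves the token
    ks_naf_ext: Optional[bytes]              # handed to the terminal
    verdict: str


def token_run_aka(k: bytes, rand: bytes, autn_rx: bytes, naf_id: bytes) -> TokenResult:
    """Claims 17-29: recompute Ck/Ik and the MAC, then interpret the received MAC."""
    ck = _prf(k, b"f3", rand, KEY_LEN)
    ik = _prf(k, b"f4", rand, KEY_LEN)
    ak = _prf(k, b"f5", rand, SQN_LEN)
    sqn = _xor(autn_rx[:SQN_LEN], ak)
    amf = autn_rx[SQN_LEN:SQN_LEN + AMF_LEN]
    mac_rx = autn_rx[SQN_LEN + AMF_LEN:]
    mac_expected = _prf(k, b"f1", sqn + rand + amf, MAC_LEN)  # claim 22: recompute MAC
    mac_star_expected = _xor(mac_expected, mac_mask(ck, ik))  # claim 23: re-modify it
    res = _prf(k, b"f2", rand, RES_LEN)

    if hmac.compare_digest(mac_rx, mac_star_expected):
        # G1: MAC was modified with Ck/Ik -> keep them inside, derive the NAF keys
        ks_int = _prf(ck + ik, b"KsNAFint", naf_id, KEY_LEN)
        ks_ext = _prf(ck + ik, b"KsNAFext", naf_id, KEY_LEN)
        return TokenResult(res, None, ks_int, ks_ext, "modified: Ck/Ik retained in token")
    if hmac.compare_digest(mac_rx, mac_expected):
        # G2: plain AKA behaviour -> Ck/Ik go to the terminal
        return TokenResult(res, (ck, ik), None, None, "unmodified: Ck/Ik sent to terminal")
    # Claims 14/28: matches neither form -> release nothing and fail authentication
    return TokenResult(None, None, None, None, "rejected: MAC matches neither form")


if __name__ == "__main__":
    K = bytes(range(16))  # constructed sample secret key shared with the token
    av = security_server_vector(K, b"\x00\x00\x00\x00\x00\x01", b"\x80\x00")
    for token_type in (1, 2):
        rand, autn = authentication_server_challenge(av, token_type)
        print(token_type, token_run_aka(K, rand, autn, b"naf.example").verdict)
```

The property worth checking is the one the claims rely on: the mask depends on Ck and Ik, which the hosting terminal never sees in the first-type case, so a terminal cannot turn AUTN* back into an AUTN that the token would treat as unmodified and thereby coax a first-type token into releasing Ck/Ik; `modify_mac(autn_star, ck, ik)` recovers the original only with the right keys. The example leaves out the SQN freshness and resynchronisation checks of standard AKA, which a real token still needs so that an old unmodified AUTN from another run cannot be replayed.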
CN2005800205142A 2004-06-21 2005-06-20 Method for securing an authentication and key agreement protocol Expired - Fee Related CN1973569B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP04291562.9 2004-06-21
EP04291562A EP1626598A1 (en) 2004-06-21 2004-06-21 Method for securing an authentication and key agreement protocol
PCT/IB2005/001746 WO2006000875A2 (en) 2004-06-21 2005-06-20 Method for securing an authentication and key agreement protocol

Publications (2)

Publication Number Publication Date
CN1973569A true CN1973569A (en) 2007-05-30
CN1973569B CN1973569B (en) 2010-09-22

Family

ID=34931189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2005800205142A Expired - Fee Related CN1973569B (en) 2004-06-21 2005-06-20 Method for securing an authentication and key agreement protocol

Country Status (6)

Country Link
US (1) US7991994B2 (en)
EP (2) EP1626598A1 (en)
JP (1) JP5087393B2 (en)
CN (1) CN1973569B (en)
ES (1) ES2759340T3 (en)
WO (1) WO2006000875A2 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011022999A1 (en) * 2009-08-27 2011-03-03 中兴通讯股份有限公司 Method and system for encrypting video conference data by terminal
CN102902553A (en) * 2012-08-23 2013-01-30 福建富士通信息软件有限公司 Remote card issuing method of mobile phone payment card based on JAVA card
CN102902553B (en) * 2012-08-23 2015-09-30 福建富士通信息软件有限公司 Remote card issuing method of mobile phone payment card based on JAVA card
CN103634115A (en) * 2013-11-26 2014-03-12 常州大学 Identity-based method for generating certification secret key negotiation protocol
CN103634104A (en) * 2013-11-26 2014-03-12 常州大学 Three-party authentication key agreement protocol generating method based on certificates

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7813511B2 (en) * 2005-07-01 2010-10-12 Cisco Technology, Inc. Facilitating mobility for a mobile station
US9137012B2 (en) 2006-02-03 2015-09-15 Emc Corporation Wireless authentication methods and apparatus
EP1987607B1 (en) * 2006-02-06 2013-11-20 LG Electronics Inc. Mbms dual receiver
EP1997294A4 (en) * 2006-03-22 2014-08-27 Lg Electronics Inc Security considerations for the lte of umts
US8495380B2 (en) * 2006-06-06 2013-07-23 Red Hat, Inc. Methods and systems for server-side key generation
DE102007033847A1 (en) 2007-07-18 2009-01-22 Bernd Prof. Dr. Freisleben Method for cryptographic key agreement between two communication devices in Internet protocol communications networks, involves arranging one or multiple Network address translation routers between two communication devices
DE102007033845A1 (en) 2007-07-18 2009-01-22 Bernd Prof. Dr. Freisleben Public/private cryptographic key producing method for executing key agreement in digital data carrier, involves converting terminal end point address into key portion by applying inverse function of trap door one-way function for agreement
DE102007033846A1 (en) 2007-07-18 2009-01-22 Freisleben, Bernd, Prof. Dr. Cryptographic key generating method for encrypted digital communication between communication devices, involves converting end product address of communication device into part of key, and utilizing address for key agreement
DE102007033848A1 (en) 2007-07-18 2009-01-22 Freisleben, Bernd, Prof. Dr. Method for verification of ownership of terminal address of communications device in network, involves verifying ownership of terminal address by communications device belonging to it, by private cryptographic key
PL2528268T6 (en) * 2008-06-06 2022-04-25 Telefonaktiebolaget Lm Ericsson (Publ) Cyptographic key generation
EP2202662A1 (en) * 2008-12-24 2010-06-30 Gemalto SA Portable security device protecting against keystroke loggers
KR101630755B1 (en) * 2010-01-15 2016-06-15 삼성전자주식회사 Method and apparatus for securely communicating between mobile devices
US9026805B2 (en) 2010-12-30 2015-05-05 Microsoft Technology Licensing, Llc Key management using trusted platform modules
US8769288B2 (en) * 2011-04-22 2014-07-01 Alcatel Lucent Discovery of security associations
US9008316B2 (en) * 2012-03-29 2015-04-14 Microsoft Technology Licensing, Llc Role-based distributed key management
WO2014001860A1 (en) * 2012-05-18 2014-01-03 Laurus Labs Private Limited Process for preparation of montelukast sodium

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4531021A (en) * 1980-06-19 1985-07-23 Oak Industries Inc. Two level encripting of RF signals
US5117458A (en) * 1989-11-01 1992-05-26 Hitachi, Ltd. Secret information service system and method
DE19514084C1 (en) * 1995-04-13 1996-07-11 Siemens Ag Processor-controlled exchange of cryptographic keys, e.g. in mobile communications
US5999629A (en) * 1995-10-31 1999-12-07 Lucent Technologies Inc. Data encryption security module
US6298196B1 (en) * 1996-09-05 2001-10-02 Sony Corporation Digital recording apparatus and copyright protection method thereof
JPH11122239A (en) * 1997-10-16 1999-04-30 Sony Corp Information processor, information processing method and transmission medium
JP2000048478A (en) * 1998-05-26 2000-02-18 Yamaha Corp Digital copy control method, and device using the method
US6570990B1 (en) * 1998-11-13 2003-05-27 Lsi Logic Corporation Method of protecting high definition video signal
CN1248837A (en) * 1999-09-08 2000-03-29 北京龙安计算机技术开发有限公司 Personal key encryption method
US7194765B2 (en) * 2002-06-12 2007-03-20 Telefonaktiebolaget Lm Ericsson (Publ) Challenge-response user authentication
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
DE10307403B4 (en) * 2003-02-20 2008-01-24 Siemens Ag Method for forming and distributing cryptographic keys in a mobile radio system and mobile radio system
US8260259B2 (en) * 2004-09-08 2012-09-04 Qualcomm Incorporated Mutual authentication with modified message authentication code

Also Published As

Publication number Publication date
ES2759340T3 (en) 2020-05-08
WO2006000875A3 (en) 2006-08-24
US7991994B2 (en) 2011-08-02
US20070250712A1 (en) 2007-10-25
WO2006000875A2 (en) 2006-01-05
EP1769650B1 (en) 2019-09-04
EP1769650A2 (en) 2007-04-04
EP1626598A1 (en) 2006-02-15
CN1973569B (en) 2010-09-22
JP5087393B2 (en) 2012-12-05
JP2008503800A (en) 2008-02-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: SETEC OY

Free format text: FORMER NAME: AXALTO SA

CP03 Change of name, title or address

Address after: East France

Patentee after: GEMALTO OY

Address before: French Meudon

Patentee before: AXALTO S.A.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100922